CortexXDRClient API Data Models
Actions
- class cortex_xdr_client.api.models.action_status.ActionStatuStr(**data)
- class cortex_xdr_client.api.models.action_status.GetActionStatus(**data)
- reply: GetActionStatusItem
- class cortex_xdr_client.api.models.action_status.GetActionStatusItem(**data)
- data: Optional[ActionStatuStr]
Alerts
- class cortex_xdr_client.api.models.alerts.Alert(**data)
-
- action: Optional[str]
- action_pretty: Optional[str]
- agent_data_collection_status: Optional[bool]
- agent_device_domain: Optional[str]
- agent_fqdn: Optional[str]
- agent_is_vdi: Optional[str]
- agent_os_sub_type: Optional[str]
- agent_os_type: Optional[str]
- agent_version: Optional[str]
- alert_id: Optional[str]
- attempt_counter: Optional[int]
- bioc_category_enum_key: Optional[str]
- bioc_indicator: Optional[str]
- category: Optional[str]
- contains_featured_host: Optional[bool]
- contains_featured_ip: Optional[bool]
- contains_featured_user: Optional[bool]
- deduplicate_tokens: Optional[str]
- description: Union[str, List[AlertDescriptionItem]]
- detection_timestamp: Optional[int]
- end_match_attempt_ts: Optional[int]
- endpoint_id: Optional[str]
- external_id: Optional[str]
- filter_rule_id: Optional[str]
- host_ip: Optional[List[str]]
- host_name: Optional[str]
- is_whitelisted: Optional[bool]
- local_insert_ts: Optional[int]
- mac: Optional[str]
- mac_address: Optional[List[str]]
- matching_service_rule_id: Optional[str]
- matching_status: Optional[str]
- mitre_tactic_id_and_name: Optional[List[str]]
- mitre_technique_id_and_name: Optional[List[str]]
- name: Optional[str]
- severity: Optional[AlertSeverity]
- source: Optional[str]
- starred: Optional[bool]
- class cortex_xdr_client.api.models.alerts.AlertDescriptionItem(**data)
- data_type: Optional[Any]
- dml_type: Optional[Any]
- dml_ui: Optional[bool]
- entity_map: Optional[Any]
- pretty_name: str
- render_type: str
- class cortex_xdr_client.api.models.alerts.AlertSeverity(value)
Severity of an alert. The member values are the lower-case strings returned by the API ('high', 'low', 'medium', 'unknown'); note that IoCSeverity below uses upper-case values, so the two enums must not be compared directly.
- HIGH = 'high'
- LOW = 'low'
- MEDIUM = 'medium'
- UNKNOWN = 'unknown'
- class cortex_xdr_client.api.models.alerts.Event(**data)
- action_country: Optional[str]
- action_external_hostname: Optional[str]
- action_file_macro_sha256: Optional[str]
- action_file_md5: Optional[str]
- action_file_name: Optional[str]
- action_file_path: Optional[str]
- action_file_sha256: Optional[str]
- action_local_ip: Optional[str]
- action_local_port: Optional[str]
- action_process_causality_id: Optional[str]
- action_process_image_command_line: Optional[str]
- action_process_image_name: Optional[str]
- action_process_image_sha256: Optional[str]
- action_process_instance_id: Optional[str]
- action_process_signature_status: Optional[str]
- action_process_signature_vendor: Optional[str]
- action_registry_data: Optional[str]
- action_registry_full_key: Optional[str]
- action_registry_key_name: Optional[str]
- action_registry_value_name: Optional[str]
- action_remote_ip: Optional[str]
- action_remote_port: Optional[str]
- actor_causality_id: Optional[str]
- actor_process_causality_id: Optional[str]
- actor_process_command_line: Optional[str]
- actor_process_image_md5: Optional[str]
- actor_process_image_name: Optional[str]
- actor_process_image_path: Optional[str]
- actor_process_image_sha256: Optional[str]
- actor_process_instance_id: Optional[str]
- actor_process_os_pid: Optional[str]
- actor_process_signature_status: Optional[str]
- actor_process_signature_vendor: Optional[str]
- actor_thread_thread_id: Optional[str]
- agent_host_boot_time: Optional[str]
- agent_install_type: Optional[str]
- association_strength: Optional[str]
- causality_actor_causality_id: Optional[str]
- causality_actor_process_command_line: Optional[str]
- causality_actor_process_execution_time: Optional[str]
- causality_actor_process_image_md5: Optional[str]
- causality_actor_process_image_name: Optional[str]
- causality_actor_process_image_path: Optional[str]
- causality_actor_process_image_sha256: Optional[str]
- causality_actor_process_signature_status: Optional[str]
- causality_actor_process_signature_vendor: Optional[str]
- dns_query_name: Optional[str]
- dst_action_country: Optional[str]
- dst_action_external_hostname: Optional[str]
- dst_action_external_port: Optional[str]
- dst_agent_id: Optional[str]
- dst_association_strength: Optional[str]
- dst_causality_actor_process_execution_time: Optional[str]
- event_id: Optional[str]
- event_sub_type: Optional[str]
- event_timestamp: Optional[int]
- event_type: Optional[str]
- fw_app_category: Optional[str]
- fw_app_id: Optional[str]
- fw_app_subcategory: Optional[str]
- fw_app_technology: Optional[str]
- fw_device_name: Optional[str]
- fw_email_recipient: Optional[str]
- fw_email_sender: Optional[str]
- fw_email_subject: Optional[str]
- fw_interface_from: Optional[str]
- fw_interface_to: Optional[str]
- fw_is_phishing: Optional[str]
- fw_misc: Optional[str]
- fw_rule: Optional[str]
- fw_rule_id: Optional[str]
- fw_serial_number: Optional[str]
- fw_url_domain: Optional[str]
- fw_vsys: Optional[str]
- fw_xff: Optional[str]
- module_id: Optional[str]
- os_actor_causality_id: Optional[str]
- os_actor_effective_username: Optional[str]
- os_actor_process_causality_id: Optional[str]
- os_actor_process_command_line: Optional[str]
- os_actor_process_image_name: Optional[str]
- os_actor_process_image_path: Optional[str]
- os_actor_process_image_sha256: Optional[str]
- os_actor_process_instance_id: Optional[str]
- os_actor_process_os_pid: Optional[str]
- os_actor_process_signature_status: Optional[str]
- os_actor_process_signature_vendor: Optional[str]
- os_actor_thread_thread_id: Optional[str]
- story_id: Optional[str]
- user_name: Optional[str]
- class cortex_xdr_client.api.models.alerts.GetAlertsResponse(**data)
- reply: GetAlertsResponseItem
Endpoints
- class cortex_xdr_client.api.models.endpoints.Endpoint(**data)
-
- active_directory: Optional[Union[List[str], str]]
- alias: Optional[str]
- content_version: Optional[str]
- domain: Optional[str]
- endpoint_id: Optional[str]
- endpoint_name: Optional[str]
- endpoint_status: EndpointStatus
- endpoint_type: Optional[str]
- endpoint_version: Optional[str]
- first_seen: Optional[int]
- group_name: Optional[List[str]]
- install_date: Optional[int]
- installation_package: Optional[str]
- ip: Optional[List[str]]
- is_isolated: IsolateStatus
- isolated_date: Optional[str]
- last_content_update_time: Optional[int]
- last_seen: Optional[int]
- mac_address: Optional[List[str]]
- operational_status: Optional[str]
- operational_status_description: Optional[str]
- os_type: Optional[EndpointPlatform]
- scan_status: Optional[ScanStatus]
- users: Union[List[str], None, str]
- class cortex_xdr_client.api.models.endpoints.EndpointPlatform(value)
Enum for endpoint platform. Both a mac ('AGENT_OS_MAC') and a macos ('AGENT_OS_MACOS') member exist; match on the string value the API returns rather than on the member name.
- android = 'AGENT_OS_ANDROID'
- linux = 'AGENT_OS_LINUX'
- mac = 'AGENT_OS_MAC'
- macos = 'AGENT_OS_MACOS'
- windows = 'AGENT_OS_WINDOWS'
- class cortex_xdr_client.api.models.endpoints.EndpointStatus(value)
Enum for endpoint status
- connected = 'CONNECTED'
- disconnected = 'DISCONNECTED'
- lost = 'LOST'
- class cortex_xdr_client.api.models.endpoints.GetAllEndpointsResponse(**data)
- reply: List[LightEndpoint]
- class cortex_xdr_client.api.models.endpoints.GetEndpointResponse(**data)
- reply: GetEndpointResponseItem
- class cortex_xdr_client.api.models.endpoints.GetEndpointResponseItem(**data)
-
- result_count: Optional[int]
- total_count: Optional[int]
- class cortex_xdr_client.api.models.endpoints.IsolateStatus(value)
Enum for isolate status
- isolated = 'AGENT_ISOLATED'
- pending_isolation = 'AGENT_PENDING_ISOLATION'
- unisolated = 'AGENT_UNISOLATED'
- class cortex_xdr_client.api.models.endpoints.LightEndpoint(**data)
- agent_id: Optional[str]
- agent_status: Optional[str]
- agent_type: Optional[str]
- host_name: Optional[str]
- ip: Optional[List[str]]
- class cortex_xdr_client.api.models.endpoints.ResponseActionResponse(**data)
- reply: ResponseActionResponseItem
- class cortex_xdr_client.api.models.endpoints.ResponseActionResponseItem(**data)
- action_id: Optional[str]
- endpoints_count: Optional[int]
- status: Optional[int]
- class cortex_xdr_client.api.models.endpoints.ScanStatus(value)
Enum for scan status. Both a cancel ('SCAN_STATUS_CANCEL') and a canceled ('SCAN_STATUS_CANCELED') member exist; compare against the string value the API returns rather than the member name.
- aborted = 'SCAN_STATUS_ABORTED'
- cancel = 'SCAN_STATUS_CANCEL'
- canceled = 'SCAN_STATUS_CANCELED'
- error = 'SCAN_STATUS_ERROR'
- in_progress = 'SCAN_STATUS_IN_PROGRESS'
- none = 'SCAN_STATUS_NONE'
- pending = 'SCAN_STATUS_PENDING'
- pending_cancellation = 'SCAN_STATUS_PENDING_CANCELLATION'
- success = 'SCAN_STATUS_SUCCESS'
Exceptions
- exception cortex_xdr_client.api.models.exceptions.InvalidResponseException(response, missing_items)
- exception cortex_xdr_client.api.models.exceptions.UnsuccessfulQueryStatusException(status)
Incidents
- class cortex_xdr_client.api.models.incidents.AlertDatums(**data)
- data: List[AlertsDatum]
- total_count: Optional[int]
- class cortex_xdr_client.api.models.incidents.AlertsDatum(**data)
- action: Optional[str]
- action_country: Optional[str]
- action_external_hostname: Optional[str]
- action_file_macro_sha256: Optional[str]
- action_file_md5: Optional[str]
- action_file_name: Optional[str]
- action_file_path: Optional[str]
- action_file_sha256: Optional[str]
- action_local_ip: Optional[str]
- action_local_port: Optional[int]
- action_pretty: Optional[str]
- action_process_causality_id: Optional[str]
- action_process_image_command_line: Optional[str]
- action_process_image_name: Optional[str]
- action_process_image_sha256: Optional[str]
- action_process_instance_id: Optional[str]
- action_process_signature_status: Optional[str]
- action_process_signature_vendor: Optional[str]
- action_registry_data: Optional[str]
- action_registry_full_key: Optional[str]
- action_registry_key_name: Optional[str]
- action_registry_value_name: Optional[str]
- action_remote_ip: Optional[str]
- action_remote_port: Optional[int]
- actor_causality_id: Optional[str]
- actor_process_causality_id: Optional[str]
- actor_process_command_line: Optional[str]
- actor_process_image_md5: Optional[str]
- actor_process_image_name: Optional[str]
- actor_process_image_path: Optional[str]
- actor_process_image_sha256: Optional[str]
- actor_process_instance_id: Optional[str]
- actor_process_os_pid: Optional[str]
- actor_process_signature_status: Optional[str]
- actor_process_signature_vendor: Optional[str]
- actor_thread_thread_id: Optional[str]
- agent_data_collection_status: Optional[str]
- agent_device_domain: Optional[str]
- agent_fqdn: Optional[str]
- agent_host_boot_time: Optional[str]
- agent_install_type: Optional[str]
- agent_is_vdi: Optional[str]
- agent_os_sub_type: Optional[str]
- agent_os_type: Optional[str]
- agent_version: Optional[str]
- alert_id: Optional[int]
- association_strength: Optional[str]
- attempt_counter: Optional[str]
- bioc_category_enum_key: Optional[str]
- bioc_indicator: Optional[str]
- case_id: Optional[int]
- category: Optional[str]
- causality_actor_causality_id: Optional[str]
- causality_actor_process_command_line: Optional[str]
- causality_actor_process_execution_time: Optional[str]
- causality_actor_process_image_md5: Optional[str]
- causality_actor_process_image_name: Optional[str]
- causality_actor_process_image_path: Optional[str]
- causality_actor_process_image_sha256: Optional[str]
- causality_actor_process_signature_status: Optional[str]
- causality_actor_process_signature_vendor: Optional[str]
- contains_featured_host: Optional[str]
- contains_featured_ip_address: Optional[str]
- contains_featured_user: Optional[str]
- deduplicate_tokens: Optional[str]
- description: Optional[str]
- detection_timestamp: Optional[int]
- dns_query_name: Optional[str]
- dst_action_country: Optional[str]
- dst_action_external_hostname: Optional[str]
- dst_action_external_port: Optional[str]
- dst_agent_id: Optional[str]
- dst_association_strength: Optional[str]
- dst_causality_actor_process_execution_time: Optional[str]
- end_match_attempt_ts: Optional[str]
- endpoint_id: Optional[str]
- event_id: Optional[str]
- event_sub_type: Optional[str]
- event_timestamp: Optional[str]
- event_type: Optional[str]
- external_id: Optional[str]
- filter_rule_id: Optional[str]
- fw_app_category: Optional[str]
- fw_app_id: Optional[str]
- fw_app_subcategory: Optional[str]
- fw_app_technology: Optional[str]
- fw_device_name: Optional[str]
- fw_email_recipient: Optional[str]
- fw_email_sender: Optional[str]
- fw_email_subject: Optional[str]
- fw_interface_from: Optional[str]
- fw_interface_to: Optional[str]
- fw_is_phishing: Optional[str]
- fw_misc: Optional[str]
- fw_rule: Optional[str]
- fw_rule_id: Optional[str]
- fw_serial_number: Optional[str]
- fw_url_domain: Optional[str]
- fw_vsys: Optional[str]
- fw_xff: Optional[str]
- host_ip: Optional[str]
- host_name: Optional[str]
- is_whitelisted: Optional[bool]
- local_insert_ts: Optional[int]
- mac: Optional[str]
- matching_service_rule_id: Optional[str]
- matching_status: Optional[str]
- mitre_tactic_id_and_name: Optional[str]
- mitre_technique_id_and_name: Optional[str]
- module_id: Optional[str]
- name: Optional[str]
- os_actor_causality_id: Optional[str]
- os_actor_effective_username: Optional[str]
- os_actor_process_causality_id: Optional[str]
- os_actor_process_command_line: Optional[str]
- os_actor_process_image_name: Optional[str]
- os_actor_process_image_path: Optional[str]
- os_actor_process_image_sha256: Optional[str]
- os_actor_process_instance_id: Optional[str]
- os_actor_process_os_pid: Optional[str]
- os_actor_process_signature_status: Optional[str]
- os_actor_process_signature_vendor: Optional[str]
- os_actor_thread_thread_id: Optional[str]
- severity: Optional[str]
- source: Optional[str]
- starred: Optional[bool]
- story_id: Optional[str]
- user_name: Optional[str]
- class cortex_xdr_client.api.models.incidents.GetExtraIncidentDataResponse(**data)
- class cortex_xdr_client.api.models.incidents.GetExtraIncidentDataResponseItem(**data)
- alerts: AlertDatums
- file_artifacts: AlertDatums
- network_artifacts: NetworkArtifacts
- class cortex_xdr_client.api.models.incidents.GetIncidentsResponse(**data)
- reply: GetIncidentsResponseItem
- class cortex_xdr_client.api.models.incidents.GetIncidentsResponseItem(**data)
-
- result_count: Optional[int]
- total_count: Optional[int]
- class cortex_xdr_client.api.models.incidents.Incident(**data)
- alert_categories: Optional[List[str]]
- alert_count: Optional[int]
- alerts_grouping_status: Optional[str]
- assigned_user_mail: Optional[str]
- assigned_user_pretty_name: Optional[str]
- creation_time: Optional[int]
- description: Optional[str]
- detection_time: Optional[int]
- high_severity_alert_count: Optional[int]
- host_count: Optional[int]
- hosts: Optional[List[str]]
- incident_id: Optional[str]
- incident_name: Optional[str]
- incident_sources: Optional[List[str]]
- low_severity_alert_count: Optional[int]
- manual_description: Optional[str]
- manual_score: Optional[int]
- manual_severity: Optional[str]
- med_severity_alert_count: Optional[int]
- mitre_tactics_ids_and_names: Optional[List[str]]
- mitre_techniques_ids_and_names: Optional[List[str]]
- modification_time: Optional[int]
- notes: Optional[str]
- resolve_comment: Optional[str]
- rule_based_score: Optional[int]
- severity: Optional[str]
- starred: Optional[bool]
- status: IncidentStatus
- user_count: Optional[int]
- users: Optional[List[str]]
- wildfire_hits: Optional[int]
- xdr_url: Optional[str]
- class cortex_xdr_client.api.models.incidents.IncidentStatus(value)
Incident status enum. Represents the status of an incident; the member values are the lower-case strings used by the API. Note that the member RESOLVED_THREAD_HANDLED carries the value 'resolved_threat_handled' — the member name is misspelled, but the API value is what matters when comparing against responses.
- NEW = 'new'
- RESOLVED_AUTO_RESOLVE = 'resolved_auto_resolve'
- RESOLVED_DUPLICATE_INCIDENT = 'resolved_duplicate_incident'
- RESOLVED_FALSE_POSITIVE = 'resolved_false_positive'
- RESOLVED_KNOWN_ISSUE = 'resolved_known_issue'
- RESOLVED_THREAD_HANDLED = 'resolved_threat_handled'
- UNDER_INVESTIGATION = 'under_investigation'
- class cortex_xdr_client.api.models.incidents.NetworkArtifacts(**data)
- data: List[NetworkArtifactsDatum]
- total_count: Optional[int]
IoC
- class cortex_xdr_client.api.models.ioc.IoC(**data)
IoC model. Represents an Indicator of Compromise (IoC) as submitted to the API. `expiration_date` is an integer Unix epoch timestamp, in milliseconds, at which the indicator expires. The vendor API documents the literal value "Never" for an indicator that should never expire; since this field is typed Optional[int], confirm how the client serialises that case before relying on it. If the value is null, the indicator is assigned the default expiration configured for its indicator type; the valid defaults are 7, 30, 90 or 180 days. Set the expiration deliberately rather than relying on the type default.
- class_: str
- comment: str
- expiration_date: Optional[int]
- indicator: str
- reliability: IoCReliability
- reputation: Reputation
- severity: IoCSeverity
- class cortex_xdr_client.api.models.ioc.IoCReliability(value)
IoC reliability enum. Represents the reliability of an IoC on a scale from A (most reliable) to F (least reliable).
- A: str = 'A'
- B: str = 'B'
- C: str = 'C'
- D: str = 'D'
- E: str = 'E'
- F: str = 'F'
- class cortex_xdr_client.api.models.ioc.IoCResponse(**data)
IoC response model. Represents the response returned by the IoC API; `reply` may be absent.
- reply: Optional[IoCResponseItem]
- class cortex_xdr_client.api.models.ioc.IoCResponseItem(**data)
IoC response item model. Represents the `reply` payload of an IoC API response: `success` indicates whether the submission was accepted and `validation_errors` lists any validation errors reported. Callers should check `success` rather than assume the indicators were accepted.
- success: bool
- validation_errors: List[ValidationError]
- class cortex_xdr_client.api.models.ioc.IoCSeverity(value)
IoC severity enum. Represents the indicator's severity. Valid values are informational, low, medium, high, critical or unknown; the member values sent to the API are the upper-case forms listed below.
- critical: str = 'CRITICAL'
- high: str = 'HIGH'
- informational: str = 'INFORMATIONAL'
- low: str = 'LOW'
- medium: str = 'MEDIUM'
- unknown: str = 'UNKNOWN'
- class cortex_xdr_client.api.models.ioc.IoCType(value)
IoC type enum. Represents the type of indicator. Allowed values: HASH, IP, DOMAIN_NAME, FILENAME.
- DOMAIN_NAME: str = 'DOMAIN_NAME'
- FILENAME: str = 'FILENAME'
- HASH: str = 'HASH'
- IP: str = 'IP'
- class cortex_xdr_client.api.models.ioc.Reputation(value)
Reputation enum. Represents the reputation assigned to an indicator: BAD, GOOD, SUSPICIOUS or UNKNOWN.
- BAD: str = 'BAD'
- GOOD: str = 'GOOD'
- SUSPICIOUS: str = 'SUSPICIOUS'
- UNKNOWN: str = 'UNKNOWN'
Scripts
- class cortex_xdr_client.api.models.scripts.GetScriptExecutionResults(**data)
- date_created: Optional[datetime]
- error_message: Optional[str]
- results: Optional[List[ScriptExecutionResult]]
- scope: Optional[str]
- script_description: Optional[str]
- script_name: Optional[str]
- class cortex_xdr_client.api.models.scripts.GetScriptMetadataResponse(**data)
- created_by: Optional[str]
- description: Optional[str]
- entry_point: Optional[str]
- is_high_risk: Optional[bool]
- linux_supported: Optional[bool]
- macos_supported: Optional[bool]
- modification_date: Optional[int]
- name: Optional[str]
- script_id: Optional[int]
- script_output_type: Optional[str]
- script_uid: Optional[str]
- windows_supported: Optional[bool]
- class cortex_xdr_client.api.models.scripts.GetScriptsExecutionStatus(**data)
- endpoints_aborted: Optional[int]
- endpoints_canceled: Optional[int]
- endpoints_completed_successfully: Optional[int]
- endpoints_expired: Optional[int]
- endpoints_failed: Optional[int]
- endpoints_in_progress: Optional[int]
- endpoints_pending: Optional[int]
- endpoints_pending_abort: Optional[int]
- endpoints_timeout: Optional[int]
- general_status: Optional[str]
- class cortex_xdr_client.api.models.scripts.GetScriptsResponse(**data)
- result_count: Optional[int]
- total_count: Optional[int]
- class cortex_xdr_client.api.models.scripts.Script(**data)
- created_by: Optional[str]
- description: Optional[str]
- is_high_risk: Optional[bool]
- linux_supported: Optional[bool]
- macos_supported: Optional[bool]
- modification_date: Optional[int]
- name: Optional[str]
- script_id: Optional[int]
- script_uid: Optional[str]
- windows_supported: Optional[bool]
- class cortex_xdr_client.api.models.scripts.ScriptExecutionResult(**data)
- domain: Optional[str]
- endpoint_id: Optional[str]
- endpoint_ip_address: Optional[List[str]]
- endpoint_name: Optional[str]
- endpoint_status: Optional[str]
- execution_status: Optional[str]
- failed_files: Optional[int]
- retention_date: Optional[int]
- retrieved_files: Optional[int]
- standard_output: Union[str, None, List[str]]